PUBLIC-KEY CRYPTOGRAPHIC SCHEMES SECURE AGAINST AN 
ADAPTIVE CHOSEN CIPHERTEXT ATTACK IN THE STANDARD MODEL 



BACKGROUND OF THE INVENTION 
FIELD OF THE INVENTION 

The present invention relates to a public-key 
cryptographic scheme and cryptographic communications 
using public-key cryptography. 

DESCRIPTION OF THE RELATED ART 

Various types of public-key cryptographic 
schemes have been proposed to date. Of these schemes, 
the most famous and most practical public-key 
cryptographic scheme is described in: 

a document 1: "R. L. Rivest, A. Shamir, L. 
Adleman: A method for obtaining digital signatures and 
public-key cryptosystems, Commun. of the ACM, Vol. 21, 
No. 2, pp. 120-126, 1978". 

Efficient public-key cryptographic schemes 
using elliptic curves are known as described in: 

a document 2: "V. S. Miller: Use of Elliptic
Curves in Cryptography, Proc. of Crypto' 85, LNCS218,
Springer-Verlag, pp. 417-426 (1985)";

a document 3: "N. Koblitz: Elliptic Curve
Cryptosystems, Math. Comp., 48, 177, pp. 203-209
(1987)"; and the like.

Known cryptographic schemes capable of
verifying security against chosen plaintext attacks
include:

a document 4: "M. O. Rabin: Digital
Signatures and Public-Key Encryptions as Intractable as
Factorization, MIT, Technical Report, MIT/LCS/TR-212
(1979)";

a document 5: "T. ElGamal: A Public Key 
Cryptosystem and a Signature Scheme Based on Discrete 
Logarithms, IEEE Trans. On Information Theory, IT-31, 
4, pp. 469-472 (1985)"; 

a document 6: "S. Goldwasser and S. Micali:
Probabilistic Encryption, JCSS, 28, 2, pp. 270-299
(1984)";

a document 7: "M. Blum and S. Goldwasser: An
Efficient probabilistic public-key encryption scheme
which hides all partial information, Proc. of
Crypto' 84, LNCS196, Springer-Verlag, pp. 289-299
(1985)";

a document 8: "S. Goldwasser and M. Bellare:
Lecture Notes on Cryptography,
http://www-cse.ucsd.edu/users/mihir/ (1997)"; and

a document 9: "T. Okamoto and S. Uchiyama: A 
new Public-Key Cryptosystem as Secure as Factoring, 
Proc. of Eurocrypt' 98, LNCS1403, Springer-Verlag, pp. 
308-318 (1998)". 

Known cryptographic schemes capable of
verifying security against chosen ciphertext attacks
include:

a document 10: "D. Dolev, C. Dwork and M.
Naor: Non-malleable cryptography, In 23rd Annual ACM
Symposium on Theory of Computing, pp. 542-552 (1991)";

a document 11: "M. Naor and M. Yung: Public-key
cryptosystems provably secure against chosen
ciphertext attacks, Proc. of STOC, ACM Press, pp. 427-437
(1990)";

a document 12: "M. Bellare and P. Rogaway:
Optimal Asymmetric Encryption How to Encrypt with RSA,
Proc. of Eurocrypt' 94, LNCS950, Springer-Verlag, pp.
92-111 (1994)"; and

a document 13: "R. Cramer and V. Shoup: A
practical Public Key Cryptosystem Provably Secure
against Adaptive Chosen Ciphertext Attack, Proc. of
Crypto' 98, LNCS1462, Springer-Verlag, pp. 13-25
(1998)".

A document 14: "M. Bellare, A. Desai, D.
Pointcheval and P. Rogaway: Relations Among Notions of
Security for Public-Key Encryption Schemes, Proc. of
Crypto' 98, LNCS1462, Springer-Verlag, pp. 26-45
(1998)", indicates the equivalency between IND-CCA2
(semantically secure (indistinguishable) against
adaptive chosen ciphertext attacks) and NM-CCA2
(non-malleable against adaptive chosen ciphertext attacks).
A public-key cryptographic scheme satisfying this
condition is presently considered most secure.

Although the public-key cryptographic scheme
described in the document 12 is practical, security is
verified on the assumption that an ideal random
function exists. Since it is impossible to configure
an ideal random function in a real system, the ideal
random function is replaced with a practical hash
function in order to apply the scheme of the document
12 to the real system. Therefore, security cannot be
verified in the real system.

The document 13 provides a public-key 
cryptographic scheme capable of verifying IND-CCA2 on 
the assumption that a general one-way hash function 
exists instead of an ideal random function. Since the
general one-way hash function can actually be constructed
(under a cryptographic assumption), the scheme
described in the document 13 can verify security in a
standard model. However, when it is applied to a real
system, a practical hash function such as SHA-1 is used 
by assuming it as a general hash function in order to 
improve the efficiency. Therefore, a strong assumption 
is incorporated in order to verify security. Although 
the document 13 proposes a public-key cryptographic 
scheme which does not assume the existence of a general 
one-way hash function, the efficiency of this scheme is 
inferior to a scheme which assumes the existence of a 
general one-way hash function. 

SUMMARY OF THE INVENTION 

It is a main object of the present invention
to provide a public-key cryptographic scheme which is
practical and capable of verifying security (IND-CCA2)
against the strongest attacks, namely adaptive chosen
ciphertext attacks, in a standard model (a real computer
model not assuming the existence of an ideal function).

It is another object of the present invention 
to provide a public-key cryptographic scheme which is 
practical and capable of verifying security even if it 
is applied to a real system, by assuming only the
difficulty of the Diffie-Hellman decision problem.

It is another object of the invention to 
provide a cryptographic communication method using the 
public-key cryptographic scheme of the invention, a 
program, an apparatus and a system for executing the 
method. 

In order to achieve the above objects of the 
invention, a ciphertext is created by using a 
combination of a plaintext and random numbers in order 
to reject an illegal ciphertext input to a (simulated) 
deciphering oracle and to guarantee security against 
adaptive chosen ciphertext attacks. The environment 
given a deciphering oracle means an environment which 
unconditionally gives the deciphered results of any 
ciphertext excepting a target ciphertext. According to
one specific public-key cryptographic scheme, the
following secret-key is created:

• $x_1, x_2, y_{11}, y_{12}, y_{21}, y_{22}, z \in Z_q$

and the following public key is created:

• $p, q$ : prime numbers ($q$ is a prime factor of $p-1$)

• $g_1, g_2 \in Z_p$ : $\mathrm{ord}_p(g_1) = \mathrm{ord}_p(g_2) = q$

• $c = g_1^{x_1} g_2^{x_2} \bmod p$, $d_1 = g_1^{y_{11}} g_2^{y_{12}} \bmod p$, $d_2 = g_1^{y_{21}} g_2^{y_{22}} \bmod p$, $h = g_1^{z} \bmod p$

• $k_1, k_2, k_3$ : positive constants ($10^{k_1+k_2} < q$, $10^{k_3} < q$, $10^{k_1+k_2+k_3} < p$)

(ord() indicates an order)

A sender generates a random number $\alpha = \alpha_1 \| \alpha_2$
($|\alpha_1| = k_1$, $|\alpha_2| = k_2$) for a plaintext $m$ ($|m| = k_3$,
where $|x|$ indicates the number of digits of $x$), and
calculates:

$\tilde{m} = \alpha \| m$

A random number $r \in Z_q$ is selected, and the following is
calculated:

$u_1 = g_1^{r} \bmod p$, $u_2 = g_2^{r} \bmod p$, $e = \tilde{m} h^{r} \bmod p$, $v = g_1^{\alpha_1} c^{r} d_1^{\alpha r} d_2^{m r} \bmod p$

A ciphertext $(u_1, u_2, e, v)$ is transmitted to a
receiver.

By using a secret-key of the receiver and the
received ciphertext, the receiver calculates $\alpha'_1$, $\alpha'_2$,
$m'$ ($|\alpha'_1| = k_1$, $|\alpha'_2| = k_2$, $|m'| = k_3$) which satisfy:

$\alpha'_1 \| \alpha'_2 \| m' = e / u_1^{z} \bmod p$

If the following is satisfied; 



$m'$ is output as the deciphered results (where $\alpha' = \alpha'_1 \| \alpha'_2$),
whereas if not satisfied, the effect that the
received ciphertext is rejected is output as the
decipher results.

BRIEF DESCRIPTION OF THE DRAWINGS 

Fig. 1 is a diagram showing the structure of 
a system according to an embodiment of the invention. 

Fig. 2 is a diagram showing the internal 
structure of a sender side apparatus of the embodiment. 

Fig. 3 is a diagram showing the internal 
structure of a receiver side apparatus of the 
embodiment.

Fig. 4 is a diagram showing the outline of a 
second embodiment of the invention. 

Fig. 5 is a diagram showing the outline of a 
fourth embodiment of the invention. 

Fig. 6 is a diagram showing the outline of a 
sixth embodiment of the invention. 

DETAILED DESCRIPTION OF THE EMBODIMENTS 

Embodiments of the invention will be 
described with reference to the accompanying drawings. 

Fig. 1 is a diagram showing the structure of
a system according to an embodiment of the invention.
This system is constituted of a sender side apparatus
100 and a receiver side apparatus 200. The sender side
apparatus 100 and receiver side apparatus 200 are
connected by a communication line 300.

Fig. 2 is a diagram showing the internal 
structure of the sender side apparatus 100 of the 
embodiment. The sender side apparatus 100 has a random 
number generator unit 101, an exponentiation unit 102, 
a calculation unit 103, a modular calculation unit 104,
a memory unit 105, a communication unit 106, an input
unit 107 and an encipher unit 108. A plaintext m to be
enciphered is input from the input unit 107, created on
the sender side apparatus 100, or supplied from the
communication unit 106 or an unrepresented storage
unit.

Fig. 3 is a diagram showing the internal 
structure of the receiver side apparatus 200 of the 
embodiment. The receiver side apparatus 200 has a key 
generator unit 201, an exponentiation unit 202, a 
modular calculation unit 203, a calculation unit 204, a 
memory unit 205, a communication unit 206 and a 
decipher unit 207. Although not shown, the receiver 
side apparatus has an output unit for supplying the 
user (receiver) of the apparatus with the deciphered 
results by means of display, sounds and the like. 

The sender side apparatus 100 and receiver 
side apparatus 200 may be a computer having a CPU and a 
memory. 

The random number generator unit 101,
exponentiation units 102 and 202, modular calculation
units 104 and 204, key generator unit 201, encipher
unit 108 and decipher unit 207 each may be a custom
processor matching the length of bits to be processed,
or may be realized by software programs running on a
central processing unit (CPU).

Processes for key generation, 
encipher/decipher and ciphertext transmission/reception 
to be described in the following embodiments are 
realized by software programs running on the CPU. The 
software programs use the above-mentioned units.

Each software program is stored in a computer
readable storage medium such as a portable storage
medium and a communication medium on the communication
line.

I First Embodiment 

This embodiment describes a public-key 
cryptographic scheme. 

1. Key Generating Process 

In response to an operation by a receiver B, 
the key generator unit 201 of the reception side 
apparatus 200 generates beforehand secret information 
constituted of seven numbers: 



and public information:

• $G, G'$ : finite (multiplicative) group, $G \subseteq G'$

• $q$ : prime number (the order of $G$)

• $g_1, g_2 \in G$

• $c = g_1^{x_1} g_2^{x_2}$, $d_1 = g_1^{y_{11}} g_2^{y_{12}}$, $d_2 = g_1^{y_{21}} g_2^{y_{22}}$, $h = g_1^{z}$,

• $\pi : X_1 \times X_2 \times M \to G'$ : one-to-one mapping

• $\pi^{-1} : \mathrm{Im}(\pi) \to X_1 \times X_2 \times M$

where the group $G$ is a subgroup of the group $G'$, $X_1$
and $X_2$ are an infinite set of positive integers which
satisfy:

$\alpha_1 \| \alpha_2 < q \quad (\forall \alpha_1 \in X_1, \forall \alpha_2 \in X_2)$

$M$ is a plaintext space, and $\|$ represents a
concatenation of bit strings. The public information is
supplied to the sender side apparatus 100 or made
public, via the communication line 300 or the like. A
publicizing method may be registration in the third
party (public information management facilities) or may
be a well-known method. Other information is stored in
the memory unit 205.

2. Encipher/Decipher Process 

(1) In response to an operation by a sender
A, the random number generator unit 101 of the sender
side apparatus 100 selects random numbers $\alpha_1 \in X_1$, $\alpha_2 \in X_2$,
$r \in Z_q$ for the plaintext $m$ ($m \in M$), and the exponentiation
unit 102, calculation unit 103 and modular calculation
unit 104 calculate:

$u_1 = g_1^{r}$, $u_2 = g_2^{r}$, $e = \pi(\alpha_1, \alpha_2, m) h^{r}$, $v = g_1^{\alpha_1} c^{r} d_1^{\alpha r} d_2^{m r}$

where $\alpha = \alpha_1 \| \alpha_2$. In response to an operation by the
sender A, the communication apparatus 106 of the sender
side apparatus 100 transmits the ciphertext $(u_1, u_2, e, v)$
to the receiver side apparatus 200 via the
communication line 300.

(2) In response to an operation by the
receiver B, the exponentiation unit 202, modular
calculation unit 203 and calculation unit 204 of the
receiver side apparatus 200 calculate, from the
received ciphertext and by using the secret
information, $\alpha'_1$, $\alpha'_2$, $m'$ ($\alpha'_1 \in X_1$, $\alpha'_2 \in X_2$, $m' \in M$) which
satisfy:

$\pi(\alpha'_1, \alpha'_2, m') = e / u_1^{z}$

If the following is satisfied:

$g_1^{\alpha'_1} u_1^{x_1 + \alpha' y_{11} + m' y_{21}} u_2^{x_2 + \alpha' y_{12} + m' y_{22}} = v$

$m'$ is output as the deciphered results (where $\alpha' = \alpha'_1 \| \alpha'_2$),
whereas if not satisfied, the effect that the
received ciphertext is rejected is output as the
decipher results.

With the scheme of this embodiment, it is
possible to be semantically secure against adaptive
chosen ciphertext attacks on the assumption of the
difficulty of the Diffie-Hellman decision problem in $G$.
The Diffie-Hellman decision problem is a problem of
deciding to which one of the following sets a given
sequence $\delta$ belongs:

$D = \{(g_1, g_2, g_1^{r}, g_2^{r}) \mid r \in Z_q\}$, $R = \{(g_1, g_2, g_1^{r_1}, g_2^{r_2}) \mid r_1, r_2 \in Z_q, r_1 \neq r_2\}$

relative to $g_1, g_2 \in G$.

If it is difficult to solve the Diffie-Hellman
decision problem at a probability better than
1/2, it is said that the Diffie-Hellman decision
problem is difficult (for the Diffie-Hellman decision
problem, refer to the document 13 and the like).

The procedure of verifying security shows
that if an algorithm capable of attacking the
embodiment method exists, by using this algorithm
(specifically, by the method similar to the method
described in the document 12), an algorithm for solving
the Diffie-Hellman decision problem can be configured.

Even if the algorithm for solving the Diffie-Hellman
decision problem exists, since an algorithm
capable of attacking the embodiment method has still
not been found, attacking the embodiment method is at
least as difficult as solving the Diffie-Hellman
decision problem.

With the embodiment method, when a ciphertext
is generated in response to an operation by the sender
A, the sender side apparatus 100 selects beforehand the
random numbers $\alpha_1 \in X_1$, $\alpha_2 \in X_2$ and $r \in Z_q$ and calculates and
stores beforehand:

$u_1 = g_1^{r}$, $u_2 = g_2^{r}$, $h^{r}$, $g_1^{\alpha_1} c^{r} d_1^{\alpha r}$

Therefore, a load of an encipher process can be reduced
considerably and the process time can be shortened.

II Second Embodiment 

The second embodiment shows one of the
methods of realizing the public-key cryptographic
scheme of the first embodiment, and adopts concatenation
of three parameters as a function $\pi$. Fig. 4 shows the
outline of this embodiment.

1. Key Generation Process 

In response to an operation by the receiver 
B, the key generator unit 201 of the reception side 
apparatus 200 generates beforehand secret information: 

• $x_1, x_2, y_{11}, y_{12}, y_{21}, y_{22}, z \in Z_q$

and public information:

• $p, q$ : prime numbers ($q$ is a prime factor of $p-1$)

• $g_1, g_2 \in Z_p$ : $\mathrm{ord}_p(g_1) = \mathrm{ord}_p(g_2) = q$

• $c = g_1^{x_1} g_2^{x_2} \bmod p$, $d_1 = g_1^{y_{11}} g_2^{y_{12}} \bmod p$, $d_2 = g_1^{y_{21}} g_2^{y_{22}} \bmod p$, $h = g_1^{z} \bmod p$,

• $k_1, k_2, k_3$ : positive constants ($10^{k_1+k_2} < q$, $10^{k_3} < q$, $10^{k_1+k_2+k_3} < p$)

(ord() indicates an order)

The public information is supplied to the sender side
apparatus 100 or made public, via the communication
line 300 or the like. A publicizing method may be
registration in the third party (public information
management facilities) or may be a well-known method.
Other information is stored in the memory unit 205.

2. Encipher/Decipher Process

(1) In response to an operation by the
sender A, the random number generator unit 101 of the
sender side apparatus 100 selects random numbers $\alpha = \alpha_1 \| \alpha_2$
($|\alpha_1| = k_1$, $|\alpha_2| = k_2$) for a plaintext $m$ ($|m| = k_3$,
where $|x|$ indicates the number of digits of $x$) (Step
401), and calculates (Step 402):

$\tilde{m} = \alpha \| m$

The random number generator unit 101 further selects a
random number $r \in Z_q$, and the exponentiation unit 102,
calculation unit 103 and modular calculation unit 104
calculate:

$u_1 = g_1^{r} \bmod p$, $u_2 = g_2^{r} \bmod p$, $e = \tilde{m} h^{r} \bmod p$, $v = g_1^{\alpha_1} c^{r} d_1^{\alpha r} d_2^{m r} \bmod p$

In response to an operation by the sender A, the
communication apparatus 106 of the sender side
apparatus 100 transmits $(u_1, u_2, e, v)$ as the ciphertext
to the receiver side apparatus 200 of the receiver B
via the communication line 300 (Step 403).

(2) In response to an operation by the
receiver B, the exponentiation unit 202, modular
calculation unit 203 and calculation unit 204 of the
receiver side apparatus 200 calculate (Step 404), from
the received ciphertext and by using the secret
information, $\alpha'_1$, $\alpha'_2$, $m'$ ($|\alpha'_1| = k_1$, $|\alpha'_2| = k_2$, $|m'| = k_3$)
which satisfy:

$\alpha'_1 \| \alpha'_2 \| m' = e / u_1^{z} \bmod p$

If the following is satisfied (Step 405):

$g_1^{\alpha'_1} u_1^{x_1 + \alpha' y_{11} + m' y_{21}} u_2^{x_2 + \alpha' y_{12} + m' y_{22}} \equiv v \pmod{p}$

$m'$ is output as the deciphered results (where $\alpha' = \alpha'_1 \| \alpha'_2$)
(Step 406), whereas if not satisfied, the effect
that the received ciphertext is rejected is output as
the decipher results (Step 407).

With the embodiment method, when a ciphertext
is generated in response to an operation by the sender
A, the sender side apparatus 100 selects beforehand the
random numbers $\alpha_1$, $\alpha_2$ ($|\alpha_1| = k_1$, $|\alpha_2| = k_2$) and $r \in Z_q$ and
calculates and stores beforehand:

$u_1 = g_1^{r} \bmod p$, $u_2 = g_2^{r} \bmod p$, $h^{r} \bmod p$, $g_1^{\alpha_1} c^{r} d_1^{\alpha r} \bmod p$

Therefore, a load of an encipher process can be reduced
considerably.
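The key generation, encipher and decipher steps of this second embodiment, carried through in Python as an added example (not code from the patent). Assumptions: toy digit lengths K1 = K2 = 5 and K3 = 10, values of α1, α2 and m treated as zero-padded decimals, a parameter search based on a Miller-Rabin probable-prime test, and all function names.

```python
import secrets

K1, K2, K3 = 5, 5, 10   # assumed toy digit lengths |alpha1|, |alpha2|, |m|

def is_probable_prime(n):
    """Miller-Rabin with fixed small-prime bases (a demo-grade test)."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_params():
    """Find primes with q | p-1, 10^(k1+k2) < q, 10^k3 < q, 10^(k1+k2+k3) < p."""
    q = 10 ** max(K1 + K2, K3) + 1
    while not is_probable_prime(q):
        q += 1
    j = 10 ** (K1 + K2 + K3) // q + 1
    j += j % 2                        # even j keeps p = j*q + 1 odd
    while not is_probable_prime(j * q + 1):
        j += 2
    return j * q + 1, q

def gen_order_q(p, q):
    """Random element of order q in Z_p^* (q is prime, so any g != 1 works)."""
    while True:
        g = pow(secrets.randbelow(p - 3) + 2, (p - 1) // q, p)
        if g != 1:
            return g

def keygen():
    p, q = gen_params()
    g1, g2 = gen_order_q(p, q), gen_order_q(p, q)
    sk = tuple(secrets.randbelow(q) for _ in range(7))
    x1, x2, y11, y12, y21, y22, z = sk
    pk = {
        "p": p, "q": q, "g1": g1, "g2": g2,
        "c": pow(g1, x1, p) * pow(g2, x2, p) % p,
        "d1": pow(g1, y11, p) * pow(g2, y12, p) % p,
        "d2": pow(g1, y21, p) * pow(g2, y22, p) % p,
        "h": pow(g1, z, p),
    }
    return pk, sk

def encrypt(pk, m):
    """Steps 401-403: returns the ciphertext (u1, u2, e, v)."""
    if not 0 <= m < 10 ** K3:
        raise ValueError("m must fit in K3 decimal digits")
    p, q = pk["p"], pk["q"]
    a1, a2 = secrets.randbelow(10 ** K1), secrets.randbelow(10 ** K2)
    alpha = a1 * 10 ** K2 + a2            # alpha = alpha1 || alpha2
    m_tilde = alpha * 10 ** K3 + m        # m~ = alpha || m
    r = secrets.randbelow(q - 1) + 1
    u1, u2 = pow(pk["g1"], r, p), pow(pk["g2"], r, p)
    e = m_tilde * pow(pk["h"], r, p) % p
    v = (pow(pk["g1"], a1, p) * pow(pk["c"], r, p)
         * pow(pk["d1"], alpha * r, p) * pow(pk["d2"], m * r, p)) % p
    return u1, u2, e, v

def decrypt(pk, sk, ct):
    """Steps 404-407: returns m', or None when the ciphertext is rejected."""
    p, g1 = pk["p"], pk["g1"]
    x1, x2, y11, y12, y21, y22, z = sk
    u1, u2, e, v = ct
    if not (0 < u1 < p and 0 < u2 < p and 0 <= e < p and 0 < v < p):
        return None
    m_tilde = e * pow(pow(u1, z, p), -1, p) % p   # e / u1^z mod p
    if m_tilde >= 10 ** (K1 + K2 + K3):
        return None           # no alpha1'||alpha2'||m' of the stated lengths
    alpha, m = divmod(m_tilde, 10 ** K3)
    a1 = alpha // 10 ** K2
    check = (pow(g1, a1, p)
             * pow(u1, x1 + alpha * y11 + m * y21, p)
             * pow(u2, x2 + alpha * y12 + m * y22, p)) % p
    return m if check == v else None

def demo():
    """Round trip, then two modified ciphertexts that must be rejected."""
    pk, sk = keygen()
    p = pk["p"]
    u1, u2, e, v = encrypt(pk, 1234567890)
    return (decrypt(pk, sk, (u1, u2, e, v)),
            decrypt(pk, sk, (u1, u2, 2 * e % p, v)),          # e altered
            decrypt(pk, sk, (u1, u2, e, v * pk["g1"] % p)))   # v altered

if __name__ == "__main__":
    print(demo())
```

With an unmodified ciphertext the check value equals v because $c^{r} d_1^{\alpha r} d_2^{m r} = u_1^{x_1 + \alpha y_{11} + m y_{21}} u_2^{x_2 + \alpha y_{12} + m y_{22}}$; the parameter sizes here are far too small for real use.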

III Third Embodiment

In this embodiment, the message sender A
enciphers transmission data m to the receiver B by
common-key encipher (symmetric cryptography), and the
common key used is enciphered by the public-key
cryptographic scheme of the first embodiment to be sent
to the receiver B.

1. Key Generating Process

In response to an operation by the receiver
B, the key generator unit 201 of the reception side
apparatus 200 generates beforehand secret information:

• $x_1, x_2, y_{11}, y_{12}, y_{21}, y_{22}, z \in Z_q$

and public information:

• $G, G'$ : finite (multiplicative) group, $G \subseteq G'$

• $q$ : prime number (the order of $G$)

• $g_1, g_2 \in G$

• $c = g_1^{x_1} g_2^{x_2}$, $d_1 = g_1^{y_{11}} g_2^{y_{12}}$, $d_2 = g_1^{y_{21}} g_2^{y_{22}}$, $h = g_1^{z}$,

• $\pi : X_1 \times X_2 \times M \to G'$ : one-to-one mapping

• $\pi^{-1} : \mathrm{Im}(\pi) \to X_1 \times X_2 \times M$

• $E$ : symmetric encipher function

where the group $G$ is a subgroup of the group $G'$, $X_1$
and $X_2$ are an infinite set of positive integers which
satisfy:

$\alpha_1 \| \alpha_2 < q \quad (\forall \alpha_1 \in X_1, \forall \alpha_2 \in X_2)$

$M$ is a key space. The public information is supplied
to the sender side apparatus 100 or made public, via
the communication line 300 or the like. A publicizing
method may be registration in the third party (public
information management facilities) or may be a
well-known method. Other information is stored in the
memory unit 205.

2. Encipher/Decipher Process

(1) In response to an operation by the
sender A, the random number generator unit 101 of the
sender side apparatus 100 selects random numbers $\alpha_1 \in X_1$,
$\alpha_2 \in X_2$, $r \in Z_q$ for the plaintext $m$ ($m \in M$), and the
exponentiation unit 102, calculation unit 103 and
modular calculation unit 104 calculate:

$u_1 = g_1^{r}$, $u_2 = g_2^{r}$, $e = \pi(\alpha_1, \alpha_2, K) h^{r}$, $v = g_1^{\alpha_1} c^{r} d_1^{\alpha r} d_2^{K r}$

where $\alpha = \alpha_1 \| \alpha_2$. A ciphertext C of the transmission
data m is generated by:

$C = E_K(m)$

by using the symmetric cryptographic function E and key
data K. In response to an operation by the sender A,
the communication apparatus 106 of the sender side
apparatus 100 transmits $(u_1, u_2, e, v, C)$ as the
ciphertext to the receiver side apparatus 200 via the
communication line 300.

(2) In response to an operation by the
receiver B, the exponentiation unit 202, modular
calculation unit 203 and calculation unit 204 of the
receiver side apparatus 200 calculate, from the
received ciphertext and by using the secret
information, $\alpha'_1$, $\alpha'_2$, $K'$ ($\alpha'_1 \in X_1$, $\alpha'_2 \in X_2$, $K' \in M$) which
satisfy:

$\pi(\alpha'_1, \alpha'_2, K') = e / u_1^{z}$

If the following is satisfied (where $\alpha' = \alpha'_1 \| \alpha'_2$):

$g_1^{\alpha'_1} u_1^{x_1 + \alpha' y_{11} + K' y_{21}} u_2^{x_2 + \alpha' y_{12} + K' y_{22}} = v$

a decipher process is executed by:

$m = D_{K'}(C)$

where D is a decipher function corresponding to E. The
deciphered results are output. If not satisfied, the
effect that the received ciphertext is rejected is
output as the decipher results.

As another method of generating a ciphertext
C, the sender generates the ciphertext C by:

$C = E_K(\alpha_1 \| \alpha_2 \| m)$

by using the (symmetric) cryptographic function E and
key data K. The receiver checks whether the following
is satisfied:

$g_1^{\alpha'_1} u_1^{x_1 + \alpha' y_{11} + K' y_{21}} u_2^{x_2 + \alpha' y_{12} + K' y_{22}} = v$,
$\alpha'_1 \| \alpha'_2 = [D_{K'}(C)]^{k_1+k_2}$

where $[x]^{k}$ indicates the upper $k$ digits. If the check
passes, a decipher process is executed by:

$m = [D_{K'}(C)]^{-(k_1+k_2)}$

where $[x]^{-k}$ indicates the digit string of $x$ with
the upper $k$ digits removed.

With the embodiment method, when a ciphertext
is generated in response to an operation by the sender
A, the sender side apparatus 100 selects beforehand the
random numbers $\alpha_1 \in X_1$, $\alpha_2 \in X_2$ and $r \in Z_q$ and calculates and
stores beforehand:

$u_1 = g_1^{r}$, $u_2 = g_2^{r}$, $h^{r}$, $g_1^{\alpha_1} c^{r} d_1^{\alpha r}$

Therefore, a load of an encipher process can be reduced
considerably and the process time can be shortened.

IV Fourth Embodiment

In this embodiment, the message sender A
enciphers transmission data m to the receiver B by
common-key encipher (symmetric cryptography), and the
common key used is enciphered by the public-key
cryptographic scheme of the second embodiment to be
sent to the receiver B.

Fig. 5 shows the outline of the embodiment. 

1. Key Generating Process 

In response to an operation by the receiver 
B, the key generator unit 201 of the reception side 
apparatus 200 generates beforehand secret information: 

• $x_1, x_2, y_{11}, y_{12}, y_{21}, y_{22}, z \in Z_q$

and public information:

• $p, q$ : prime numbers ($q$ is a prime factor of $p-1$)

• $g_1, g_2 \in Z_p$ : $\mathrm{ord}_p(g_1) = \mathrm{ord}_p(g_2) = q$

• $c = g_1^{x_1} g_2^{x_2} \bmod p$, $d_1 = g_1^{y_{11}} g_2^{y_{12}} \bmod p$, $d_2 = g_1^{y_{21}} g_2^{y_{22}} \bmod p$, $h = g_1^{z} \bmod p$,

• $k_1, k_2, k_3$ : positive constants ($10^{k_1+k_2} < q$, $10^{k_3} < q$, $10^{k_1+k_2+k_3} < p$)

• $E$ : symmetric encipher function

The public information is supplied to the sender side
apparatus 100 or made public, via the communication
line 300 or the like. A publicizing method may be
registration in the third party (public information
management facilities) or may be a well-known method.
Other information is stored in the memory unit 205.

2. Encipher/Decipher Process

(1) In response to an operation by the
sender A, the random number generator unit 101 of the
sender side apparatus 100 selects random numbers $\alpha = \alpha_1 \| \alpha_2$
($|\alpha_1| = k_1$, $|\alpha_2| = k_2$) for the key data $K$ (Step
501) ($|K| = k_3$, where $|x|$ indicates the number of digits
of $x$), and calculates (Step 502):

$\tilde{m} = \alpha \| K$

The random number generator unit 101 selects a random
number $r \in Z_q$, and the exponentiation unit 102,
calculation unit 103 and modular calculation unit 104
calculate:

$u_1 = g_1^{r} \bmod p$, $u_2 = g_2^{r} \bmod p$, $e = \tilde{m} h^{r} \bmod p$, $v = g_1^{\alpha_1} c^{r} d_1^{\alpha r} d_2^{K r} \bmod p$

In response to an operation by the sender A, the sender
side apparatus 100 generates a ciphertext C of the
transmission data m by:

$C = E_K(m)$

by using the (symmetric) cryptographic function E and
key data K (Step 503), and the communication unit 106
transmits $(u_1, u_2, e, v, C)$ as the ciphertext to the
receiver side apparatus 200 via the communication line
300 (Step 504).



(2) In response to an operation by the
receiver B, the exponentiation unit 202, modular
calculation unit 203 and calculation unit 204 of the
receiver side apparatus 200 calculate (Step 505), from
the received ciphertext and by using the secret
information, $\alpha'_1$, $\alpha'_2$, $K'$ ($|\alpha'_1| = k_1$, $|\alpha'_2| = k_2$, $|K'| = k_3$)
which satisfy:

$\alpha'_1 \| \alpha'_2 \| K' = e / u_1^{z} \bmod p$

If the following is satisfied (where $\alpha' = \alpha'_1 \| \alpha'_2$)
(Step 506):

$g_1^{\alpha'_1} u_1^{x_1 + \alpha' y_{11} + K' y_{21}} u_2^{x_2 + \alpha' y_{12} + K' y_{22}} \equiv v \pmod{p}$

a decipher process is executed (Step 507) by:

$m = D_{K'}(C)$

where D is a decipher function corresponding to E. The
deciphered results are output. If not satisfied, the
effect that the received ciphertext is rejected is
output as the decipher results (Step 508).

As another method of generating a ciphertext
C, the sender generates the ciphertext C by:

$C = E_K(\alpha_1 \| \alpha_2 \| K)$

by using the (symmetric) cryptographic function E and
key data K. The receiver checks whether the following
is satisfied:

$g_1^{\alpha'_1} u_1^{x_1 + \alpha' y_{11} + K' y_{21}} u_2^{x_2 + \alpha' y_{12} + K' y_{22}} \equiv v \pmod{p}$,

If the check passes, a decipher process is executed by:

$m = [D_{K'}(C)]^{-(k_1+k_2)}$

where $[x]^{-k}$ indicates the digit string of $x$ with
the upper $k$ digits removed.

With the embodiment method, when a ciphertext
is generated in response to an operation by the sender
A, the sender side apparatus 100 selects beforehand the
random numbers $\alpha_1$, $\alpha_2$ ($|\alpha_1| = k_1$, $|\alpha_2| = k_2$), $r \in Z_q$ and
calculates and stores beforehand:

$u_1 = g_1^{r} \bmod p$, $u_2 = g_2^{r} \bmod p$, $h^{r} \bmod p$, $g_1^{\alpha_1} c^{r} d_1^{\alpha r} \bmod p$

Therefore, a load of an encipher process can be reduced
considerably.

V Fifth Embodiment 

In this embodiment, the message sender A
transmits transmission data m to the receiver B by
cryptographic communications by using symmetric
cryptography based upon the public-key cryptography of
the first embodiment. This embodiment is more
efficient than the method of the
third embodiment. If the symmetric cryptography is
non-malleable (IND-CPA) against chosen plaintext
attacks, it is possible to verify that the symmetric
cryptography is non-malleable against adaptive chosen
ciphertext attacks (NM-CCA2). In the embodiment
method, a key K itself is not transmitted but the
sender and receiver share a seed so that the key can be
generated.

1. Key Generating Process 

In response to an operation by the receiver 
B, the key generator unit 201 of the reception side 
apparatus 200 generates beforehand secret information: 

• $x_1, x_2, y_1, y_2, z \in Z_q$

and public information:

• $G, G'$ : finite (multiplicative) group, $G \subseteq G'$

• $q$ : prime number (the order of $G$)

• $g_1, g_2 \in G$

• $c = g_1^{x_1} g_2^{x_2}$, $d = g_1^{y_1} g_2^{y_2}$, $h = g_1^{z}$,

• $\pi : X_1 \times X_2 \times M \to \mathrm{Dom}(E)$ : one-to-one mapping

• $\pi^{-1} : \mathrm{Im}(\pi) \to X_1 \times X_2 \times M$ ($\mathrm{Dom}(E)$ is the domain of the function $E$)

• $H$ : hash function

• $E$ : symmetric encipher function

where the group $G$ is a subgroup of the group $G'$, $X_1$
and $X_2$ are an infinite set of positive integers which
satisfy:

$\alpha_1 \| \alpha_2 < q \quad (\forall \alpha_1 \in X_1, \forall \alpha_2 \in X_2)$

The public information is supplied to the sender side 
apparatus 100 or made public, via the communication 
line 300 or the like. A publicizing method may be 
registration in the third party (public information 
management facilities) or may be a well-known method. 
Other information is stored in the memory unit 205. 



2. Encipher/Decipher Process 

(1) In response to an operation by the
sender A, the random number generator unit 101 of the
sender side apparatus 100 selects random numbers $\alpha_1 \in X_1$,
$\alpha_2 \in X_2$, $r \in Z_q$ for transmission data $m$ ($m \in M$, $M$ is a
plaintext space), and the exponentiation unit 102,
calculation unit 103 and modular calculation unit 104
calculate:

$u_1 = g_1^{r}$, $u_2 = g_2^{r}$, $v = g_1^{\alpha_1} c^{r} d^{\alpha r}$, $K = H(h^{r})$

where $\alpha = \alpha_1 \| \alpha_2$. A ciphertext C of the transmission
data m is generated by:

$C = E_K(\pi(\alpha_1, \alpha_2, m))$

by using the (symmetric) cryptography. In response to
an operation by the sender A, the communication
apparatus 106 of the sender side apparatus 100
transmits $(u_1, u_2, v, C)$ as the ciphertext to the
receiver side apparatus 200 via the communication line
300.

(2) In response to an operation by the 
receiver B, the exponentiation unit 202, modular 
calculation unit 203 and calculation unit 204 of the 
receiver side apparatus 200 calculate: 

$K' = H(u_1^{z})$

by using the secret information, and further calculate,
from the received ciphertext, $\alpha'_1$, $\alpha'_2$, $m'$ ($\alpha'_1 \in X_1$, $\alpha'_2 \in X_2$)
which satisfy:

$\pi(\alpha'_1, \alpha'_2, m') = D_{K'}(C)$

where D is a cryptographic function corresponding to E.
If the following is satisfied:

$m'$ is output as the deciphered results (where $\alpha' = \alpha'_1 \| \alpha'_2$),
whereas if not satisfied, the effect that the
received ciphertext is rejected is output as the
decipher results.

With the embodiment method, when a ciphertext
is generated in response to an operation by the sender
A, the sender side apparatus 100 selects beforehand the
random numbers $\alpha_1 \in X_1$, $\alpha_2 \in X_2$ and $r \in Z_q$ and calculates and
stores beforehand $u_1$, $u_2$ and $v$. Therefore, a load of an
encipher process can be reduced considerably and the
process time can be shortened.

VI Sixth Embodiment 

In this embodiment, the message sender A 
transmits transmission data m to the receiver B by 
cryptographic communications by using symmetric 
cryptography based upon the public-key cryptography of 
the second embodiment. 

Fig. 6 illustrates the outline of the
embodiment.

1. Key Generating Process 



In response to an operation by the receiver 
B, the key generator unit 201 of the reception side 
apparatus 200 generates beforehand secret information: 

and public information:

• $p, q$ : prime numbers ($q$ is a prime factor of $p-1$)

• $g_1, g_2 \in Z_p$ : $\mathrm{ord}_p(g_1) = \mathrm{ord}_p(g_2) = q$

• $c = g_1^{x_1} g_2^{x_2} \bmod p$, $d = g_1^{y_1} g_2^{y_2} \bmod p$, $h = g_1^{z} \bmod p$,

• $k_1, k_2, k_3$ : positive constants ($10^{k_1+k_2} < q$, $10^{k_3} < q$, $10^{k_1+k_2+k_3} < p$)

• $H$ : hash function

• $E$ : symmetric encipher function (the domain of $E$ is all positive integers)

The public information is supplied to the sender side
apparatus 100 or made public, via the communication
line 300 or the like. A publicizing method may be
registration in the third party (public information
management facilities) or may be a well-known method.
Other information is stored in the memory unit 205.

2. Encipher/Decipher Process

In response to an operation by the sender A,
the random number generator unit 101 of the sender side
apparatus 100 selects (Step 602) random numbers $\alpha = \alpha_1 \| \alpha_2$
($|\alpha_1| = k_1$, $|\alpha_2| = k_2$, where $|x|$ is the number of
digits of $x$) for the plaintext $m$ ($m \in M$, $M$ is a plaintext
space) (Step 601), and further selects a random number
$r \in Z_q$. The exponentiation unit 102, calculation unit
103 and modular calculation unit 104 calculate:

$u_1 = g_1^{r} \bmod p$, $u_2 = g_2^{r} \bmod p$, $v = g_1^{\alpha_1} c^{r} d^{\alpha r} \bmod p$, $K = H(h^{r} \bmod p)$

The sender side apparatus 100 generates a ciphertext C
of the transmission data m by:

$C = E_K(\alpha_1 \| \alpha_2 \| m)$

by using the (symmetric) cryptographic function E (Step
603). The communication apparatus 106 transmits $(u_1, u_2, v, C)$
as the ciphertext to the receiver side
apparatus 200 via the communication line 300 (Step
604).

In response to an operation by the receiver
B, the exponentiation unit 202, modular calculation
unit 203 and calculation unit 204 of the receiver side
apparatus 200 calculate:

$K' = H(u_1^{z} \bmod p)$

by using the secret information, and further calculate
(Step 605), from the received ciphertext, $\alpha'_1$, $\alpha'_2$
($|\alpha'_1| = k_1$, $|\alpha'_2| = k_2$) which satisfy:

$\alpha'_1 \| \alpha'_2 \| m' = D_{K'}(C)$

If the following is satisfied (Step 606):

$g_1^{\alpha'_1} u_1^{x_1 + \alpha' y_1} u_2^{x_2 + \alpha' y_2} \equiv v \pmod{p}$

$m'$ is output as the deciphered results (where $\alpha' = \alpha'_1 \| \alpha'_2$)
(Step 607), whereas if not satisfied, the effect
that the received ciphertext is rejected is output as
the decipher results (Step 608).

With the embodiment method, when a ciphertext
is generated in response to an operation by the sender
A, the sender side apparatus 100 selects beforehand the
random numbers $\alpha_1$, $\alpha_2$ ($|\alpha_1| = k_1$, $|\alpha_2| = k_2$) and $r \in Z_q$,
and calculates and stores beforehand $u_1$, $u_2$ and $v$.
Therefore, a load of an encipher process can be reduced
considerably and the process time can be shortened.
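
The encipher/decipher steps of this embodiment (Steps 601 to 608) and the precomputation of u1, u2 and v, as an added Python example that is not part of the patent text. The toy parameters, SHA-256 as H, the XOR keystream standing in for E, the relation h = g1^z mod p (taken from K' = H(u1^z mod p)) and all function names are assumptions.

```python
import hashlib, secrets
from itertools import count
from math import isqrt

def is_prime(n):
    return n > 1 and all(n % i for i in range(2, isqrt(n) + 1))

# Toy parameters, constructed for this example (far too small for real use).
K1 = K2 = 4                                    # digit lengths k1, k2
q = next(n for n in count(10**(K1 + K2) + 1) if is_prime(n) and is_prime(2*n + 1))
p = 2*q + 1                                    # q is a prime factor of p - 1
g1, g2 = 4, 9                                  # squares mod p, so ord_p(g1) = ord_p(g2) = q

def keygen():
    x1, x2, y1, y2, z = (secrets.randbelow(q - 1) + 1 for _ in range(5))
    c = pow(g1, x1, p) * pow(g2, x2, p) % p
    d = pow(g1, y1, p) * pow(g2, y2, p) % p
    h = pow(g1, z, p)                          # assumption: h = g1^z, implied by K' = H(u1^z mod p)
    return (c, d, h), (x1, x2, y1, y2, z)

def H(n):                                      # stand-in for H: SHA-256 of the decimal string
    return hashlib.sha256(str(n).encode()).digest()
def E(key, data):                              # stand-in for E: XOR keystream, so D is the same function
    ks = b"".join(hashlib.sha256(key + bytes([i])).digest() for i in range(len(data)//32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def digits(k):                                 # random integer with exactly k decimal digits
    return 10**(k - 1) + secrets.randbelow(9 * 10**(k - 1))

def precompute(pk):                            # message-independent, can be stored in advance
    c, d, h = pk
    a1, a2, r = digits(K1), digits(K2), secrets.randbelow(q - 1) + 1
    alpha = int(f"{a1}{a2}")                   # alpha = a1 || a2 < 10^(k1+k2) < q
    v = pow(g1, a1, p) * pow(c, r, p) * pow(d, alpha * r, p) % p
    return a1, a2, pow(g1, r, p), pow(g2, r, p), v, H(pow(h, r, p))

def encrypt(pk, m, pre=None):                  # Steps 601-604; m is a positive integer
    a1, a2, u1, u2, v, K = pre or precompute(pk)
    return u1, u2, v, E(K, f"{a1}{a2}{m}".encode())

def decrypt(sk, ct):                           # Steps 605-608; None means "rejected"
    x1, x2, y1, y2, z = sk
    u1, u2, v, C = ct
    s = E(H(pow(u1, z, p)), C).decode("ascii", "replace")
    if len(s) <= K1 + K2 or not s.isdigit():
        return None                            # not of the form a1' || a2' || m'
    a1, alpha = int(s[:K1]), int(s[:K1 + K2])
    lhs = pow(g1, a1, p) * pow(u1, x1 + alpha*y1, p) * pow(u2, x2 + alpha*y2, p) % p
    return int(s[K1 + K2:]) if lhs == v else None
```

The Step 606 check depends only on α′, u1, u2 and v, so the XOR keystream used here for E is a placeholder chosen for brevity: it is malleable in the m part of C, and a deployment needs a cipher with the properties the scheme requires of E.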

VII Seventh Embodiment 

In this embodiment, the message sender A 
transmits transmission data m to the receiver B by 
cryptographic communications by using another 
asymmetric cryptography and the public-key cryptography 
of the first embodiment. In this embodiment, a weak 
asymmetric cryptography (NM-CPA) can be transformed 
into a non-malleable cryptography (NM-CCA2) . 

1. Key Generating Process 

In response to an operation by the receiver
B, the key generator unit 201 of the reception side
apparatus 200 generates beforehand secret information:

• sk : (asymmetric) decipher key

and public information:

• G : finite (multiplicative) group

• q : prime number (the order of G)

• $g_1, g_2 \in G$

• $\pi : X_1 \times X_2 \times M \to \mathrm{Dom}(E)$ : one-to-one mapping

• $\pi^{-1} : \mathrm{Im}(\pi) \to X_1 \times X_2 \times M$ (Dom(E) is the domain of the function E)

• $E_{pk}(\cdot)$ : (asymmetric cryptography) encipher function

where the group G is a partial group of the group G', $X_1$
and $X_2$ are an infinite set of positive integers which
satisfy:

$$\alpha_1 \| \alpha_2 < q \quad (\forall \alpha_1 \in X_1, \forall \alpha_2 \in X_2)$$

M is a plaintext space. The public information is 
supplied to the sender side apparatus 100 or made 
public, via the communication line 300 or the like. A 
publicizing method may be registration in the third 
party (public information management facilities) or may 
be a well-known method. Other information is stored in 
the memory unit 205. 

2. Encipher/Decipher Process

In response to an operation by the sender A,
the random number generator unit 101 of the sender side
apparatus 100 selects random numbers $\alpha_1 \in X_1$, $\alpha_2 \in X_2$,
$r \in Z_q$, and the exponentiation unit 102, calculation unit
103 and modular calculation unit 104 calculate:

$$u_1 = g_1^r, \quad u_2 = g_2^r, \quad v = g_1^{\alpha_1} c^r d^{\alpha r}$$

where $\alpha = \alpha_1 \| \alpha_2$. The sender side apparatus 100
generates a ciphertext C of the transmission data m by:

$$e = E_{pk}(\pi(\alpha_1, \alpha_2, m))$$

by using the (asymmetric) cryptographic function $E_{pk}$.
In response to an operation by the sender A, the
communication apparatus 106 transmits $(u_1, u_2, e, v)$ as
the ciphertext to the receiver side apparatus 200 via
the communication line 300.

In response to an operation by the receiver
B, the exponentiation unit 202, modular calculation
unit 203 and calculation unit 204 of the receiver side
apparatus 200 calculate, from the received ciphertext,
$\alpha'_1$, $\alpha'_2$ and $m'$ ($\alpha'_1 \in X_1$, $\alpha'_2 \in X_2$, and $m' \in M$) which
satisfy:

$$\pi(\alpha'_1, \alpha'_2, m') = D_{sk}(e)$$

(where $D_{sk}$ is a decipher function corresponding to $E_{pk}$)
by using the secret information.
If the following is satisfied:

where:

$$\alpha' = \alpha'_1 \| \alpha'_2$$

$m'$ is output as the deciphered results, whereas if not
satisfied, the effect that the received ciphertext is
rejected is output as the decipher results. With the
embodiment method, when a ciphertext is generated in
response to an operation by the sender A, the sender
side apparatus 100 selects beforehand the random
numbers $\alpha_1 \in X_1$, $\alpha_2 \in X_2$, and $r \in Z_q$ and calculates and
stores beforehand $u_1$, $u_2$ and $v$. Therefore, a load of an
encipher process can be reduced considerably and the
process time can be shortened.

VIII Eighth Embodiment 

In this embodiment, similar to the seventh 
embodiment, the message sender A transmits transmission 
data m to the receiver B by cryptographic 
communications by using the asymmetric cryptography 
based upon the public-key cryptography of the second 
embodiment.

1. Key Generating Process

In response to an operation by the receiver 
B, the key generator unit 201 of the reception side 
apparatus 200 generates beforehand secret information: 

• sk : (asymmetric cryptography) decipher key

and public information:

• p, q : prime number (q is a prime factor of p - 1)

• $g_1, g_2 \in Z_p$ : $\mathrm{ord}_p(g_1) = \mathrm{ord}_p(g_2) = q$

• $c = g_1^{x_1} g_2^{x_2} \bmod p$, $d = g_1^{y_1} g_2^{y_2} \bmod p$,

• $k_1, k_2$ : positive constant ($10^{k_1 + k_2} < q$)

• $E_{pk}(\cdot)$ : (asymmetric cryptography)
encipher function (the domain is all
positive integers)

The public information is supplied to the sender side
apparatus 100 or made public, via the communication 
line 300 or the like. A publicizing method may be 
registration in the third party (public information 
management facilities) or may be a well-known method. 
Other information is stored in the memory unit 205. 

2. Encipher/Decipher Process 

In response to an operation by the sender A, 
the random number generator unit 101 of the sender side 
apparatus 100 selects random numbers $\alpha = \alpha_1 \| \alpha_2$ ($|\alpha_1| = k_1$,
$|\alpha_2| = k_2$, where $|x|$ is the number of digits of $x$),
and further selects a random number $r \in Z_q$. The
exponentiation unit 102, calculation unit 103 and
modular calculation unit 104 calculate:

$$u_1 = g_1^r \bmod p, \quad u_2 = g_2^r \bmod p, \quad v = g_1^{\alpha_1} c^r d^{\alpha r} \bmod p$$

In response to an operation by the sender A, the sender
side apparatus 100 generates a ciphertext C of the
transmission data m (positive integer) by:

$$e = E_{pk}(\alpha_1 \| \alpha_2 \| m)$$

by using the (asymmetric) cryptographic function E. The
communication apparatus 106 transmits $(u_1, u_2, e, v)$ as
the ciphertext to the receiver side apparatus 200 via
the communication line 300.

In response to an operation by the receiver
B, the exponentiation unit 202, modular calculation
unit 203 and calculation unit 204 of the receiver side
apparatus 200 calculate, from the received ciphertext
and by using the secret information, $\alpha'_1$, $\alpha'_2$ and $m'$
($|\alpha'_1| = k_1$, $|\alpha'_2| = k_2$, $m'$ is a positive integer) which
satisfy:

$$\alpha'_1 \| \alpha'_2 \| m' = D_{sk}(e)$$

where $D_{sk}$ is a decipher function corresponding to $E_{pk}$.
If the following is satisfied:

$$g_1^{\alpha'_1} u_1^{x_1 + \alpha' y_1} u_2^{x_2 + \alpha' y_2} \equiv v \pmod{p}$$

where:

$m'$ is output as the deciphered results, whereas if not
satisfied, the effect that the received ciphertext is
rejected is output as the decipher results. With the
embodiment method, when a ciphertext is generated in
response to an operation by the sender A, the sender
side apparatus 100 selects beforehand the random
numbers $\alpha_1$, $\alpha_2$ ($|\alpha_1| = k_1$, $|\alpha_2| = k_2$), and $r \in Z_q$ and
calculates and stores beforehand $u_1$, $u_2$ and $v$.
Therefore, a load of an encipher process can be reduced
considerably.

In each of the embodiments described above, 
cryptographic communications are performed by using the 
apparatuses of the sender and receiver, which is a 
general system. Various systems may also be used. 

For example, in an electronic shopping
system, a sender is a user, a sender side apparatus is
a computer such as a personal computer, a receiver is a 
retail shop and its clerk, and a receiver side 
apparatus is an apparatus in the retail shop such as a 
computer, e.g., a personal computer in the shop. An 
order sheet of a commodity ordered by the user or a key 
generated when the order sheet is enciphered is 
enciphered by the embodiment method and transmitted to 
the apparatus of the retail shop. 

In an email cryptographic system, each 
apparatus is a computer such as a personal computer, 
and a message of the sender or a key generated when the 
message is enciphered is enciphered by the embodiment 
method and transmitted to the receiver side computer.

Each embodiment is also applicable to various 
systems using conventional cryptographic techniques. 

Various digitalized data (multimedia data) 
can be used as a plaintext or message of each 
embodiment. Calculations of each embodiment are 
performed by executing each program in a memory by a 
CPU. Some of the calculations may be performed not by a
program but by a hardware calculation unit which 
transfers data to and from another calculation unit and 
CPU. 



